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Status of this Memo 


This document specifies an Internet standards track protocol for the 
Internet community, and requests discussion and suggestions for 


improvements. Please refer to the current edition of the "Internet 
Official Protocol Standards" (STD 1) for the standardization state 
and status of this protocol. Distribution of this memo is unlimited. 


1. Introduction 


This document describes the optional AUTH command, for indicating an 
authentication mechanism to the server, performing an authentication 
protocol exchange, and optionally negotiating a protection mechanism 


for subsequent protocol interactions. The authentication and 
protection mechanisms used by the POP3 AUTH command are those used by 
IMAP4. 


2. The AUTH command 


AUTH mechanism 


Arguments: 
a string identifying an IMAP4 authentication mechanism, 
such as defined by [IMAP4-AUTH]. Any use of the string 


"imap" used in a server authentication identity in the 
definition of an authentication mechanism is replaced with 
the string "pop". 


Restrictions: 
may only be given in the AUTHORIZATION state 


Discussion: 
The AUTH command indicates an authentication mechanism to 
the server. If the server supports the requested 


authentication mechanism, it performs an authentication 
protocol exchange to authenticate and identify the user. 
Optionally, it also negotiates a protection mechanism for 
subsequent protocol interactions. If the requested 
authentication mechanism is not supported, the server 
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should reject the AUTH command by sending a negative 
response. 


The authentication protocol exchange consists of a series 
of server challenges and client answers that are specific 
to the authentication mechanism. A server challenge, 
otherwise known as a ready response, is a line consisting 
of a "+" character followed by a single space and a BASE64 
encoded string. The client answer consists of a line 
containing a BASE64 encoded string. If the client wishes 
to cancel an authentication exchange, it should issue a 
line with a single "*". If the server receives such an 
answer, it must reject the AUTH command by sending a 
negative response. 


A protection mechanism provides integrity and privacy 
protection to the protocol session. If a protection 
mechanism is negotiated, it is applied to all subsequent 
data sent over the connection. The protection mechanism 
takes effect immediately following the CRLF that concludes 
the authentication exchange for the client, and the CRLF of 
the positive response for the server. Once the protection 
mechanism is in effect, the stream of command and response 
octets is processed into buffers of ciphertext. Each 
buffer is transferred over the connection as a stream of 
octets prepended with a four octet field in network byte 
order that represents the length of the following data. 
The maximum ciphertext buffer length is defined by the 
protection mechanism. 


The server is not required to support any particular 
authentication mechanism, nor are authentication mechanisms 
required to support any protection mechanisms. If an AUTH 
command fails with a negative response, the session remains 
in the AUTHORIZATION state and client may try another 
authentication mechanism by issuing another AUTH command, 
or may attempt to authenticate by using the USER/PASS or 
APOP commands. In other words, the client may request 
authentication types in decreasing order of preference, 
with the USER/PASS or APOP command as a last resort. 


Should the client successfully complete the authentication 
exchange, the POP3 server issues a positive response and 
the POP3 session enters the TRANSACTION state. 


Possible Responses: 


+OK maildrop locked and ready 
-ERR authentication exchange failed 
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Examples: 

S: +OK POP3 server ready 

C: AUTH KERBEROS_V4 

S: + AmFYig== 

C: BACAQU5SEUKVXLKNNVS 5FRFUAOCASho84kLN3/IJdmrMG+25a4DT 
+nZImJ jnTNHJUt xAA+o0KPKf£HECAFs 9a3CL50ebe/ydHJUwYFd 
WwuQ1MWiy6lesKvjL5rL9WjXUb9MwT 9bpObYLGOKi1QOh 
+ or//EOAADZI= 
DiAF5A4gA+oOIALUBkAAmw== 
S: +OK Kerberos V4 authentication successful 


CYA 


AUTH FOOBAR 
S: -ERR Unrecognized authentication type 


Q 


Note: the line breaks in the first client answer are 
for editorial clarity and are not in real authentica- 
tors. 
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3. Formal Syntax 


The following syntax specification uses the augmented Backus-Naur 
Form (BNF) notation as specified in RFC 822. 


Except as noted otherwise, all alphabetic characters are case- 
insensitive. The use of upper or lower case characters to define 
token strings is for editorial clarity only. Implementations MUST 
accept these strings in a case-insensitive fashion. 


ATOM_CHAR ::= <any CHAR except atom_specials> 

atom_specials SoM fey fw of SPACE. Sf CTLs if NET- yo TÆ 
<> / myn 

auth ::= "AUTH" 1* (SPACE / TAB) auth_type *(CRLF base64) 
CRLF 

auth_type ::= 1*ATOM_CHAR 

base64 ::= * (4base64_CHAR) [base64_terminal] 

base64_char ¿:= "an / "B" i wo / "D" / "H" / "p" / won / "H" / 

" I " / " Vi / "KN / LU / "MT if "N" / "wow / "P " i 

"or / " R" / " S " / " T " / "yr / wy" / ww" / my j 
"yn j WAN / 
" aT / "ha / " c " / e ka f Ta " / " En / ro" / "hh" J 
" a; " / " j " / " k" / " $ " / "Mm" / Wat / " oO " if. ToT / 
"qn / " r" / " s " 7: mi " rh my" / LY fa / ww" / Ny" / 
thy J Ran vA 
" 0 " / " 1 " / WD " / " 3 " / " 4 " / " 5 " f " 6" / " 7 " / 
" 8 " f " 9g" rh Tn / " / " 
;; Case-sensitive 

base64_terminal = (2base64_char "==") / (3base64_char "=") 

CHAR ::= <any 7-bit US-ASCII character except NUL, 


0x01 - Ox7f£> 


continue_req ::= "+" SPACE base64 CRLF 

CR ::= <ASCII CR, carriage return, 0x0C> 
CRLF ::= CR LF 

CTL ::= <any ASCII control character and DEL, 


0x00 - Oxlf, Ox7f> 
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LF ::= <ASCII LF, line feed, Ox0A> 


SPACE 


<ASCII SP, space, 0x20> 


TAB ::= <ASCII HT, tab, 0x09> 


4. References 


[IMAP4-AUTH] Myers, J., “IMAP4 Authentication Mechanisms", RFC 1731, 
Carnegie Mellon, December 1994. 


5. Security Considerations 


Security issues are discussed throughout this memo. 
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